CVE-2017-4928
HIGHVMware vCenter Server < 6.0 U3c - Server-Side Request Forgery and CRLF Injection via Flash-based vSphere Web Client
Title source: manualDescription
The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.vmware.com/security/advisories/VMSA-2017-0017.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1039759
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/101785
Scores
CVSS v3
7.5
EPSS
0.0017
EPSS Percentile
37.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-352
CWE-918
Status
published
Products (4)
vmware/vcenter_server
5.5 (16 CPE variants)
vmware/vcenter_server
6.0 (11 CPE variants)
VMware/vSphere Web Client
5.5 prior to 5.5 U3f
VMware/vSphere Web Client
6.0 prior to 6.0 U3c
Published
Nov 17, 2017
Tracked Since
Feb 18, 2026